Using mschap authentication without EAP

Thibault Le Meur Thibault.LeMeur at supelec.fr
Fri Jul 21 12:59:00 CEST 2006


> Well, after some changes in OpenLDAP config, this is the result:

So your first issue was OpenLDAP-related...


> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: bind as
> cn=Manager,dc=xxxx,dc=it/PASSWORD to 192.168.1.221:389
> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: waiting for bind result ...
> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Bind was successful

Bind as manager is ok...

> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: performing search in
> ou=utenti,dc=xxxx,dc=it, with filter (uid=misterc)
> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: checking if remote access for
> misterc is allowed by userPassword
> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Added password
> {SHA}SCMTSYyqZDHw/IxjEBFXwPBqSMs= in check items
> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: looking for check items in
> directory...
> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Adding radiusAuthType as
> Auth-Type, value LDAP & op=21
> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Adding userPassword as
> User-Password, value {SHA}SCMTSYyqZDHw/IxjEBFXwPBqSMs= & op=21
> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: looking for reply items in
> directory...
> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: user misterc authorized to use
> remote access

Great, rlm_ldap has retrieved everything needed.

> Fri Jul 21 11:15:51 2006 : Debug: modcall: leaving group authorize (returns
> ok) for request 0

Now it's time to run the authenticate module

> Fri Jul 21 11:15:51 2006 : Debug:   rad_check_password:  Found Auth-Type
> LDAP
> Fri Jul 21 11:15:51 2006 : Debug: auth: type "LDAP"
> Fri Jul 21 11:15:51 2006 : Debug:   Processing the authenticate section of
> radiusd.conf

The LDAP module will be used (that is to say, a bind with the user's 
credentials will be attempted, provided that the request contains the 
necessary data).

> Fri Jul 21 11:15:51 2006 : Debug: modcall: entering group LDAP for request 0
> Fri Jul 21 11:15:51 2006 : Debug:   modsingle[authenticate]: calling pap
> (rlm_pap) for request 0
> Fri Jul 21 11:15:51 2006 : Auth: rlm_pap: Attribute "Password" is required
> for authentication. Cannot use "CHAP-Password".

Well, it seems that your radius client is trying CHAP and not PAP. You 
wrote in a previous mail that the request was:
rad_recv: Access-Request packet from host 127.0.0.1:32801, id=0, length=217
       User-Name = "misterc"
       CHAP-Challenge = 0xa26932d73791f27d1314426f740ab34e
       CHAP-Password = 0x002e07a2cc1f27e7fbd22e7bb3721a3986
       NAS-IP-Address = 0.0.0.0
       Service-Type = Login-User
       Framed-IP-Address = 192.168.182.2
       Calling-Station-Id = "XX-XX-XX-XX-XX-XX"
       Called-Station-Id = "AA-AA-AA-AA-DD-AA"
       NAS-Identifier = "nas01"
       Acct-Session-Id = "44bfd15d00000000"
       NAS-Port-Type = Wireless-802.11
       NAS-Port = 0
       Message-Authenticator = 0xf61479bee3c987c66cca254dcfa39c0a
       WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff"


That means that your client is trying MS-CHAP, and MS-CHAP can't be 
used with anything other than NT-Hash passwords or cleartext passwords 
in the authorize backend (in your case LDAP).

Thibault
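The following is an added illustration, not part of the mail above or of FreeRADIUS itself, of why rlm_pap can verify a PAP request against a {SHA}-hashed userPassword but cannot verify a CHAP request against it. It implements the CHAP response computation from RFC 1994 / RFC 2865 section 5.3 and OpenLDAP's {SHA} userPassword scheme in plain Python. The challenge value is the CHAP-Challenge from the quoted packet; the passwords, the function names and the "stored credential" strings are constructed for the example.

```python
import base64
import hashlib
import hmac

# CHAP-Challenge as it appears in the quoted Access-Request above.
SAMPLE_CHALLENGE = bytes.fromhex("a26932d73791f27d1314426f740ab34e")


def chap_response(chap_id: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: MD5(CHAP-Id || cleartext password || challenge).

    The cleartext password goes into the hash, so the server can only
    recompute it if it has the cleartext too."""
    return hashlib.md5(bytes([chap_id]) + password.encode() + challenge).digest()


def build_chap_password(chap_id: int, password: str, challenge: bytes) -> bytes:
    """The 17-byte CHAP-Password attribute value a NAS would send:
    CHAP-Id (1 byte) followed by the 16-byte response."""
    return bytes([chap_id]) + chap_response(chap_id, password, challenge)


def verify_chap(chap_password: bytes, challenge: bytes, cleartext: str) -> bool:
    """Server-side CHAP check, given the cleartext password."""
    if len(chap_password) != 17:
        return False
    chap_id, response = chap_password[0], chap_password[1:]
    expected = chap_response(chap_id, cleartext, challenge)
    return hmac.compare_digest(expected, response)


def ldap_sha_hash(password: str) -> str:
    """OpenLDAP {SHA} userPassword: base64(SHA-1(password)), a one-way hash."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


def verify_pap(cleartext: str, stored: str) -> bool:
    """PAP check: the request carries the cleartext password, so a one-way
    hash in the directory is enough to verify it."""
    if stored.startswith("{SHA}"):
        digest = base64.b64decode(stored[len("{SHA}"):])
        return hmac.compare_digest(digest, hashlib.sha1(cleartext.encode()).digest())
    # Constructed assumption: anything without a scheme prefix is cleartext.
    return hmac.compare_digest(stored.encode(), cleartext.encode())


def verify_chap_against_stored(chap_password: bytes, challenge: bytes, stored: str):
    """CHAP check against whatever the directory holds.

    Returns True/False when the stored value is cleartext, and None when it
    is a hashed scheme such as {SHA}: the response was built from the
    cleartext password, and a SHA-1 digest cannot be turned back into it.
    This is the situation behind the rlm_pap complaint in the log above."""
    if stored.startswith("{"):
        return None
    return verify_chap(chap_password, challenge, stored)


if __name__ == "__main__":
    # Constructed demo password; the real one behind the quoted packet is unknown.
    pw = "s3cret"
    attr = build_chap_password(0x00, pw, SAMPLE_CHALLENGE)
    print("CHAP-Password =", "0x" + attr.hex())
    print("cleartext in LDAP :", verify_chap_against_stored(attr, SAMPLE_CHALLENGE, pw))
    print("{SHA} in LDAP     :", verify_chap_against_stored(attr, SAMPLE_CHALLENGE, ldap_sha_hash(pw)))
    print("PAP vs {SHA}      :", verify_pap(pw, ldap_sha_hash(pw)))
```

The same reasoning applies to MS-CHAP: its response is built from the NT hash (MD4 of the UTF-16LE password), so the server needs either that hash or the cleartext to recompute it, which is the point made about the LDAP backend above.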
